The author is a Forbes contributor. The opinions expressed are those of the writer.

Lookout CEO John Hering, posing in front of the Bluesniper rifle he and his friends once used to hack phones from hundreds of yards away. Billionaire backer Vinod Khosla says Hering and his co-founder "smell like entrepreneurs with a very long vision."

"Symantec has no taste," says 29-year-old entrepreneur John Hering, borrowing an insult Steve Jobs famously lobbed at Microsoft. The shoe fit then, and Hering thinks it fits another foot now. "When you look at their user experience, design, marketing, everything. Their products are oriented around fear."

Fear, or the deliverance from it, has always been a huge selling point for antivirus software. But as the computing world shifts from PCs to mobile devices, Lookout has been able to trounce multibillion-dollar security giants like McAfee and Symantec without scaring people. Instead, the startup has wooed users with a slick interface and free features like data backups and find-my-phone tools. It was born in a different era, when free mobile apps proliferate through word of mouth, not crapware PC installations by computer makers and ads for shrink-wrapped software. "We actually built a security product that people want to use," says Hering.

Hering and his two cofounders have amassed more than 30 million mobile users--close to 20 million more than either of those competitors--with more than a million added every month. Thanks to what it says is a high single-digit percentage of users that upgrade to its paid version, the company has raised $76.5 million in rounds led by Khosla Ventures, Andreessen Horowitz, Index Ventures and Accel Partners, drawing murmurs of a billion-dollar valuation. (Hering describes that number only as "concretely within the ballpark.")

With carriers such as T-Mobile, Orange and Deutsche Telekom now preloading Lookout on some or all of their Android phones, and Sprint to come later in 2013, Lookout seems poised to own the consumer smartphone security industry. Now it just has to prove that such an industry exists--before its business is swallowed up or squashed by Google, the company that made its success possible in the first place.

Mobile security has evolved in the last few years from a solution in search of a problem to a near necessity for the 54% of smartphone users with Android devices. While Apple's iOS has remained virtually malware-free, German antivirus auditors AV-Test count tens of thousands of new Android malware variants a year, up from fewer than 100 in 2009.

Lookout, armed with a constantly refreshed data set from the tens of millions of its Android users who opt to upload new threat info, has been the first to spot many of those malware outbreaks. In 2011 it revealed a collection of 50 scam apps, known as Droid Dream, in the Android Market, now renamed Google Play. The same year it was the first to discover the text-sending malware GGTracker, which had infected 1 million phones. And when Symantec declared it had spotted a collection of as many as 5 million phones infected with a piece of malware called Counterclank, it was Lookout that deflated Symantec's claim by showing that the apps were actually just an aggressive ad network. Lookout's detection rates, according to AV-Test, rank among the highest of any mobile antivirus software, tied with McAfee and ahead of Symantec as of March 2012.

Hering and his cofounders, Kevin Mahaffey and James Burgess, saw the potential in mobile protection long before Google entered the smartphone market. In early 2005 the three University of Southern California students spotted a vulnerability in Nokia handsets that allowed unauthorized devices to access them via Bluetooth. Nokia ignored their warnings until they put a laptop with a high-powered Bluetooth antenna in a bag and walked around the red carpet of the Academy Awards, collecting evidence of the bug from hundreds of celebrities' hackable phones.

The trio went on to launch Lookout in 2007 and hooked users early with practical features like automatic data backups and find-my-phone capability. The latest version can send up a GPS "signal flare" just before a phone's battery runs out or use a phone's front-facing camera to automatically snap a picture of any thief who guesses at the phone's login code, e-mailing the mug shot to the phone's owner.

Now Lookout wants to lock in its success with an ongoing "app genome project," the scanning of every Android application in the world, whether on a user's phone, in app stores or on the Web. Lookout runs the programs in quarantined sandboxes, comparing snippets of code and network connections among 5 million apps and pulling evil needles out of Android's mushrooming haystack of programs. "We thought we'd look at this as a data mining problem and use lots of correlations that are very hard for bad guys to evade," says Mahaffey, Lookout's chief technology officer.

Google isn't about to cede the security of its operating system to third parties. In February of last year it launched Bouncer, a malware scanner to screen new apps submitted to Google Play. A version of Android released in November includes a verification service that quietly checks every program downloaded to the phone, from both Google Play and the untamed Web. Google can zap rogue apps remotely if it so chooses. Hiroshi Lockheimer, vice president of engineering for Android, doesn't believe users necessarily need antivirus on their Android phones.

"Redundancy might not be a bad thing for security," Lockheimer says politely, "but I personally don't use added security products, and don't recommend that my parents or wife do, either." Gartner analyst John Pescatore doesn't see a mobile antivirus software market ever reaching the size it did on PCs. "If you look at the things Lookout is trying to do," he says, "Google is doing them."

Except it's not doing them very well right now. Several researchers have demonstrated simple tricks to sneak malware past Google's Bouncer. And in a recent North Carolina State University study, Google's app verification caught a measly 15% of bad apps, underperforming every other scanner tested.

Lookout has options. Hering hints that his startup could become the security layer for the long-discussed Internet of Things, a world where everything from your thermostat to your car is networked. Many of those devices, such as Amazon's tablets or phones built by Chinese search firm Baidu, run Android in flavors that are out of Google's control; Lookout now offers an app for the Kindle Fire. The company and its investors float other ideas like phone insurance or even building a more secure version of Android. "What everyone knows about Lookout today," says Hering, "is 5% of what we will be."